NFP: Control Plane is the third of 8 modules in this CCNA Security certification curriculum. Network Foundation Protection is a security framework that provides strategies to protect three functional areas of a device: Management Plane, Control Plane, and Data Plane. In this course we will focus on the Control Plane functionality and we will look at topics such as the MAC address table, CAM table overflow, VTP, CDP, routing protocol authentication (RIP, OSPF, EIGRP, BGP), BGP TTL-Security, FHRP, passive interfaces, control plane policing, and control plane protection.

What Pre-Requisites are There for This Course?

If this was a single course covering the entire CCNA Security blueprint, the pre-requisite would have been the CCENT certification or equivalent knowledge. Since this is just a subset of the CCNA Security blueprint, for this specific portion it is recommended that you start with the INE Security Concepts and NFP: Management Plane courses. Additionally, you should have basic routing and switching knowledge.

Why Should You Watch This Course?

This course covers topics for the CCNA Security certification and is the perfect first step towards becoming a security expert. Our CCNA Security content gives you the foundational network infrastructure security knowledge to not only become a hero at work, but eventually become a master in the security field. With the expertise obtained from this course, you will be able to implement valuable skills such as maximizing device uptime and implementing secure routing solutions.

Who Should Watch?

This course is for anyone interested in pursuing the CCNA Security certification, or simply interested in gaining knowledge about network security in the control plane functionality of infrastructure devices.

About the Instructor

Gabe started his network engineering career in 2010 as a Co-Op at Cisco Systems in Herndon, VA. He landed a full-time position as a network consulting engineer and moved to Raleigh, NC, where he worked at Cisco from 2011-2013. He later moved to a network support role at ePlus Technology, a Cisco Gold Partner, where he worked from 2013-2016. Gabe is currently working at Cisco as a test engineer and has been teaching CCNA R&S, CCNA Security, and CCDA classes at Wake Technical Community College. Certifications that Gabe holds are: CCNA R&S, CCNA Security, CCNA Wireless, CCDA, CCNP R&S, and CCDP. Gabe is currently busy developing the CCNA Security course for INE and studying for his CCNP Security certification.

With the help of expert instructor Mbong Hudson Ekwoge, you will learn how to provision and manage services in Azure, and how to implement infrastructure components such as virtual networks, virtual machines (VMs), web and mobile apps, and storage in Azure. As a student, you will also discover how to plan for and manage Azure Active Directory and configure its integration with on-site Active Directory domains.

It is undeniable that Artificial Intelligence and Automation are in the minds of the public. With major corporations such as Google, Amazon, Facebook, and Microsoft making the news on their artificial-intelligence research and products, and personalities such as Elon Musk, Bill Gates, and Stephen Hawking holding interviews warning of an A.I. apocalypse, it's no wonder people are talking about it.

Artificial Intelligence has recently migrated into Information Technology, with several companies providing solutions for IT Operations. Executives and managers are quickly eyeing it up, excited by its abilities to make employees more efficient, reduce downtime, and minimize staffing. The marketing for these products is very positive, extolling the simplicity of operations and their effectiveness. The algorithms, as it is explained, will handle everything.

There is a configuration cost to get it up and running and to keep it running smoothly that management may not see at first. There is no "Easy" button here. Depending on the organization, implementing an A.I. and automation platform may require thousands of hours of work. This article aims to provide some thoughts on prerequisites to using A.I. in your IT infrastructure.

The first requirement is management access. These A.I. algorithms work with large amounts of data. They want to see everything, so that it can potentially be correlated. Thus, we need access to everything from the location where the A.I. system will be installed. All devices need to be reachable over some form of management network, including servers, switches, routers, firewalls, power strips, UPSs, KVMs, and more. Effectively, anything that has the option of connecting an Ethernet cable and configuring an IP address needs to have that done.

Unless you have an existing inventory of every device that uses a power cable, this step will probably also require a full inventory of all equipment at every location. Many of these devices may be managed by other departments as well, requiring internal resources and collaboration. This is also an important step for many other reasons, and is highly recommended before continuing.

Be sure to name these devices in a consistent manner. Most of the algorithms in use require similar wording used between devices in a logical or physical area in order to increase matching probability. This will require the formulation of a corporation-wide naming standard, and potentially renaming hundreds or thousands of devices.

Regarding the network itself, depending on your environment, you may not have a management network, or you may have an unfinished one. So you'll need to design and create one for each of your locations, and get it routed properly. Or, maybe you have a very large environment with many management networks for various purposes and departments. Those will need to be identified, routes may need to be created, VPN SAs may need reconfiguration, and ACLs opened to the location of the A.I. system.

Now that there is a management network that can communicate between all devices and your A.I. system, you need to provide management services to it. The first thing that comes to mind is SNMP. A modern network should have SNMPv3 configured on every device that supports it, which requires some security design effort as well. MIBs may have to be found, or OIDs walked. Devices will need to be configured to report all SNMP traps possible, and to allow polling from the A.I. collector.

Next up would be Syslog, preferably with encryption where a device supports it. This step would be best designed as a series of Syslog collection servers, local to each location, which then forward their localized collections to the A.I. collector. This would require design and implementation time for such a distributed Syslog system. Part of that system would most likely include an ELK stack implementation on top of it for additional analysis, which can be very involved.
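The two management services just described (SNMPv3 with traps to the collector, and remote syslog) are exactly the kind of per-device setting that drifts across hundreds of devices. The following is an added example, not part of the original article, of a small audit that checks a Cisco IOS-style running configuration for the weak state (SNMPv1/v2c community strings, no remote syslog) beside the hardened state. The two configurations, the collector addresses 10.10.0.5 and 10.10.0.6, the group and user names, and the `<AUTH-PASS>`/`<PRIV-PASS>` placeholders are all constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a device still on SNMPv2c with no remote syslog (the weak state).
WEAK_CONFIG = """\
hostname nyc-core-sw01
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps
logging buffered 16384
"""

# Constructed sample: the same device after the management services are provided:
# an SNMPv3 authPriv user, traps to the collector, and syslog to the local collector.
# <AUTH-PASS> and <PRIV-PASS> are placeholders, not real secrets.
HARDENED_CONFIG = """\
hostname nyc-core-sw01
snmp-server group AI-MGMT v3 priv
snmp-server user ai-collector AI-MGMT v3 auth sha <AUTH-PASS> priv aes 128 <PRIV-PASS>
snmp-server host 10.10.0.5 version 3 priv ai-collector
snmp-server enable traps
logging host 10.10.0.6
logging trap informational
logging buffered 16384
"""


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    message: str


# One anchored regex per setting we care about; re.M makes ^ match each line.
COMMUNITY_RE = re.compile(r"^snmp-server community \S+", re.M)
V3_GROUP_RE = re.compile(r"^snmp-server group \S+ v3 priv\b", re.M)
V3_HOST_RE = re.compile(r"^snmp-server host \S+ (?:(?:traps|informs) )?version 3 priv \S+", re.M)
TRAPS_RE = re.compile(r"^snmp-server enable traps", re.M)
LOG_HOST_RE = re.compile(r"^logging host \S+", re.M)
LOG_TRAP_RE = re.compile(r"^logging trap (\S+)", re.M)

# IOS syslog severity names and their numeric levels (higher number = more verbose).
SYSLOG_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}


def audit_management_config(config: str) -> list[Finding]:
    """Return the list of gaps between this config and the collector requirements."""
    findings: list[Finding] = []
    if COMMUNITY_RE.search(config):
        findings.append(Finding("high", "SNMPv1/v2c community strings present; remove them and use SNMPv3"))
    if not V3_GROUP_RE.search(config):
        findings.append(Finding("high", "no SNMPv3 group at the 'priv' (authPriv) security level"))
    if not V3_HOST_RE.search(config):
        findings.append(Finding("medium", "no SNMPv3 trap/inform receiver configured for the collector"))
    if not TRAPS_RE.search(config):
        findings.append(Finding("medium", "SNMP traps are not enabled"))
    if not LOG_HOST_RE.search(config):
        findings.append(Finding("high", "no remote syslog host configured"))
    else:
        # If 'logging trap' is absent IOS defaults to informational, so only an
        # explicit, more restrictive level is flagged.
        match = LOG_TRAP_RE.search(config)
        if match:
            raw = match.group(1)
            level = SYSLOG_LEVELS.get(raw, int(raw) if raw.isdigit() else 6)
            if level < SYSLOG_LEVELS["informational"]:
                findings.append(Finding("medium", f"syslog trap level '{raw}' drops informational events"))
    return findings


def is_collector_ready(config: str) -> bool:
    """True when the device can be polled by and report to the collector as described."""
    return not audit_management_config(config)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: ready={is_collector_ready(cfg)}")
        for f in audit_management_config(cfg):
            print(f"  [{f.severity}] {f.message}")
```

Run against a directory of `show running-config` captures, the audit gives you the list of devices that still need work before the collector can see them, which is the inventory step the article describes.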

There may be other monitoring systems already in-place, performing up/down detection, resource utilization alerting, and synthetic transactions. Similarly, systems such as vCenter and AWS Cloudwatch may be used. Each of these systems would need to be configured to copy all alerts to the A.I. collector. These configurations may also need to be customized for the collector, as the A.I. will want to know about events sooner and more frequently than an email alert to IT personnel.

It’s very likely these reporting systems may send alerts to a ticketing system or collaboration service, which should also be integrated into the A.I. platform as an output. Once the algorithms detect a highly-probable issue, a ticket can be created for front line personnel. This may also require configuration and scaling considerations for your email server, depending on how it is integrated.

So far, we've talked about the setup of the networked devices to allow for detection of issues. Once these alerts are investigated, an action needs to be performed. If an organization wishes to enable automation, that is, the automatic resolution of alerts from these A.I. systems, remote management access must be provided to all devices: not data flowing from the networked devices to the collector, but remote access into them. Remote access methods such as SSH and PowerShell are the most common today. If a device is too old or not licensed to run SSH or PowerShell, for example, that device will need to be replaced or upgraded. Configuring this remote access may also be lengthy.

The automation methods provided usually rely on scripts of some kind, and you may want to run those scripts through an automation system such as Ansible rather than as individual shell scripts. Again, we find a system that needs planning and implementation. This also requires personnel to write resolution scripts and playbooks for each issue that is detected, which means personnel who know how to code, and it will certainly take a lot of time initially.

Finally, these A.I. alerts and resolutions only happen when the algorithm has a high level of confidence that an issue is real. That means personnel need to train the system, especially in the beginning. There are usually many algorithms that work together, each one using a different set of rules, which requires care and validation. Algorithms are diverse and may include the ability to detect relationships between alerts based on source type, physical or logical proximity, time, language usage, and topology analysis.
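To make concrete both the naming-standard point made earlier (similar wording between devices in the same area raises matching probability) and the relationship detection described in the paragraph above, here is an added example of a minimal alert correlator; it is not code from the article or from any product. It assumes a hypothetical naming standard of the form `<site>-<role>-<unit>` (e.g. `nyc-core-sw01`) and groups alerts that share a site and fall within a time window. The five syslog-style alerts are constructed; note that the device whose name ignores the standard cannot be placed in any cluster, which is the practical cost of inconsistent naming.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical corporate naming standard for this example: <site>-<role>-<unit>.
NAME_RE = re.compile(r"^(?P<site>[a-z]{3})-(?P<role>[a-z]+)-(?P<unit>[a-z]*\d+)$")
# Cisco-style syslog mnemonic, e.g. %OSPF-5-ADJCHG, used as the message signature.
MNEMONIC_RE = re.compile(r"%([A-Z0-9_]+-\d-[A-Z0-9_]+)")


@dataclass
class Alert:
    ts: datetime
    device: str
    message: str

    def signature(self) -> str:
        m = MNEMONIC_RE.search(self.message)
        return m.group(1) if m else "UNKNOWN"


@dataclass
class Cluster:
    site: str
    alerts: list[Alert] = field(default_factory=list)

    def devices(self) -> set[str]:
        return {a.device for a in self.alerts}

    def signatures(self) -> set[str]:
        return {a.signature() for a in self.alerts}


# Constructed sample alerts (timestamp, device, message): a burst of routing
# adjacency losses at the NYC site, one device named outside the standard, and an
# unrelated configuration event at LAX forty minutes later.
RAW_ALERTS = [
    ("2018-10-05T08:01:02", "nyc-core-sw01",
     "%OSPF-5-ADJCHG: Process 1, Nbr 10.1.0.2 on Gi0/1 from FULL to DOWN"),
    ("2018-10-05T08:01:05", "nyc-dist-sw02",
     "%OSPF-5-ADJCHG: Process 1, Nbr 10.1.0.1 on Gi0/2 from FULL to DOWN"),
    ("2018-10-05T08:01:09", "nyc-edge-rtr01",
     "%BGP-5-ADJCHANGE: neighbor 198.51.100.1 Down BGP Notification sent"),
    ("2018-10-05T08:01:30", "NYCACCESS7",
     "%LINK-3-UPDOWN: Interface Gi1/0/7, changed state to down"),
    ("2018-10-05T08:40:00", "lax-core-sw01",
     "%SYS-5-CONFIG_I: Configured from console by admin"),
]


def parse_alert(ts: str, device: str, message: str) -> Alert:
    return Alert(datetime.fromisoformat(ts), device, message)


def site_of(device: str) -> Optional[str]:
    """Site code derived from the naming standard, or None if the name does not follow it."""
    m = NAME_RE.match(device)
    return m.group("site") if m else None


def correlate(alerts: list[Alert], window: timedelta = timedelta(seconds=120)) -> tuple[list[Cluster], list[Alert]]:
    """Group alerts by site and time proximity; return (clusters, alerts that could not be placed)."""
    clusters: list[Cluster] = []
    unmatched: list[Alert] = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        site = site_of(alert.device)
        if site is None:
            unmatched.append(alert)
            continue
        for cluster in clusters:
            # Alerts arrive in time order, so the last alert in a cluster is its newest.
            if cluster.site == site and alert.ts - cluster.alerts[-1].ts <= window:
                cluster.alerts.append(alert)
                break
        else:
            clusters.append(Cluster(site, [alert]))
    return clusters, unmatched


def classify(cluster: Cluster, min_devices: int = 2) -> str:
    """A cluster spanning several devices at one site is a site-level incident, not noise."""
    return "site-incident" if len(cluster.devices()) >= min_devices else "single-device"


if __name__ == "__main__":
    clusters, unmatched = correlate([parse_alert(*r) for r in RAW_ALERTS])
    for c in clusters:
        print(f"{c.site}: {classify(c)} devices={sorted(c.devices())} signatures={sorted(c.signatures())}")
    for a in unmatched:
        print(f"unmatched (non-standard name): {a.device}")
```

Real platforms add many more relationship rules (topology, message wording, source type), but even this small version shows why the preparatory inventory and renaming work pays off: the correlation is only as good as the metadata the device names carry.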

As you can see, there is no "Easy" button here. A.I. platforms, their automation systems, and their algorithms are extremely powerful today, but they require planning, lots of preparatory work, and training once running. They cannot be implemented quickly, as a quick fix for lack of enough personnel, and in fact, will require more personnel during the implementation and configuration phase. When properly planned for and implemented, an A.I. system can be an important enhancement to IT Operations.

About The Author

Andrew is a seasoned IT engineer with over 12 years of experience. He started out in IT as an Assistant Computer Technician, blowing dust out of computers for a school district, moving up through the ranks to Systems Administrator, Network Engineer, and IT Manager. He currently works for an international satellite communications company, ensuring LAN and WAN connectivity for a large network of ground stations and customers such as NASA, ESA, JAXA, Boeing, The U.S. Air Force, and more. Andrew holds numerous Cisco and CompTIA certifications and is a part-time Cisco Instructor.

Andrew's hobbies outside of technology include many outdoor activities, such as hiking and canoeing. He is currently learning woodworking, and is working on a 17' cedar wood-strip canoe in his garage, much to his wife's dismay. He lives in Pennsylvania, where his family has been for generations, dating back to 1754. Andrew lives with his wife, young daughter, and too many pets. You can reach Andrew by visiting his website, andrewcrouthamel.com.

Tune into Marco Alves' new SD-WAN Overview Course to learn about the past, present, and future of the SD-WAN landscape and technologies.

This course provides an overview of SD-WAN, including a basic introduction to the technology, a vendor landscape highlighting the differences between the main competitors in the space, as well as a market adoption discussion and industry forecast. After completing this course you will be able to discuss what SD-WAN is and what the current offerings available are.

You can learn more about this course by visiting ine.com or by logging into your All Access Pass members account. Don't have an All Access Pass? Start your 7-day free trial here.

This course is specifically designed to prepare you for the CCNA Cyber Ops labs once they are released. As any expert will tell you, in order to truly master something you need to go beyond a surface understanding and delve into the core of the subject you're studying. Our CCNA Cyber Ops Labs - Create Your Labs Course helps you do just that; it is the ultimate guide to prepare you for the lab portion of the CCNA Cyber Ops Exam. In this video, Bassam Alkaff goes beyond simply familiarizing you with hands-on labs and their related tools; he also teaches you how to make your own home labs and understand the core usage and important features of the tools used in them, setting you on the path towards CCNA, CCNP, and CCIE success.

Many people think that the network is static just like the roads they drive to work on, always physically there and never changing or improving. Like a road handles all types of vehicles, our network needs to be fast enough to handle high-speed traffic applications, such as video streaming and video conferencing, while also being robust enough to handle extra-large data files for everything from documents, to 3D printing, to CNC machine instructions. Our network needs to work with small IoT devices, a variety of mobile devices, desktop systems, and even remote access from everywhere, all while protecting both the data and our users.

Since network administrators know that the network is always changing and improving, we must make plans 30+ days in advance to keep up with what our users are demanding from their systems. So, let’s look at some of the exciting things that are starting to appear, or will appear in the future, that will impact our jobs as Network Professionals.

Internet of Things

It seems like every day in the network industry we are hearing about IoT, the Internet of Things. What does that really mean to those of us supporting the Network? It means that potentially every user may have 1 or more devices that all need access to the network.

There are now Wi-Fi enabled coffee makers that users can get for their offices. It allows users to remotely start coffee so it is ready at their desk when they get into their office. If your office has 50 – 100 people, can your network handle 20-30 coffee makers? How would you secure them and protect your network? How will you upgrade your Wi-Fi to handle the added devices?

What about your remote workers? What network devices do they have connected to your network when they remotely log in? If your remote users log in to do work and items on their home network get disconnected, do you have a policy on how your I.T. department will support them or are they on their own for the home network?

The “Green” Movement

One of the growth areas in the network industry is the “Green” movement, reducing power usage while being more environmentally friendly. Do you have plans to deploy energy monitors, smart thermostats, power plugs, door locks or the latest generation of smart “green” network switches or access points on the network backbone? Do you know how these items will impact your network, reliability and user access?

Server Room Technology

Let us look at the “back of the house” to see some of the exciting changes coming for our server rooms. When looking at server room technology, most of it will touch and impact our network in areas such as routing, data flow, and amount of data needed. Some of the biggest changes and challenges in this area are currently the expanded use of Server Virtualization, SDNs (software defined networks), SD-WANs (software defined – wide area networks), NFVs (network function virtualization), edge computing, network cloud services, server OS upgrades, cybersecurity and remote access for workers.

Each of these items will impact every network differently depending on the individual network setup. How can you minimize risks and maximize benefits to your network infrastructure? By continuing to study, update and expand your certifications and qualifications so you understand how each piece of the network interacts with the other pieces.

I am most excited about working with the new Windows Server 2019, as Microsoft is embracing features such as SDN, virtual peer networking, and encryption, as well as other features. As network professionals, I believe we need to understand more than just network hardware such as routers, switches, and firewalls. We need to understand and "play" with the server OSes, the devices that our employees and customers will be using to access the network.

While you may not be the day to day support for those other areas, having a good understanding of what they do and how they do it can help you troubleshoot your network issues to quickly determine if you have a network hardware issue, a client system issue or server issue that is impacting the network.

Here is an example of how important this is. Let's say you have an engineering firm with 100 CAD engineers on the network. The company bills customers $150 per hour for each engineer. That equates to $15,000 of billable income per hour to the company. You come in at 8 AM, the network is down, and everyone is already frustrated and upset because no one can get billable work done. Do you know where to start? Without a good understanding of everything on the network, it could take you 10 hours to figure out. That amounts to $150,000 of lost billable income to the company. Now, as a Certified Network Professional with additional cross training and certifications, you are able to look at the logs and figure out that a user plugged a device, such as a cell phone, into their system's USB port and it is generating a Denial of Service on the LAN. Instead of your company being down for 10 hours, you have it fixed in 15 minutes by removing the offending device and rebooting the system. Which Network Professional do you want to be?

Linux

I am also excited about the continued updates and features to the different Linux operating systems and their expanded uses in IoT and items such as Raspberry Pis and Arduino. Some of the coolest network hardware devices are the "idiot-proof" Wi-Fi mesh systems that users are getting installed in their homes, such as Eero and the new Linksys systems, currently owned by Belkin. These systems make it easier to build a mesh network in the office or at home for remote users. They are easy to set up and maintain out of the box. If you want to expand even more, you can get Open Mesh, which has even more features for a corporate setup. With the knowledge you gain from your certifications, you will be able to set up, deploy, and troubleshoot these solutions with confidence.

Attivo ThreatDefend

One of the coolest items that came out of the Black Hat 2018 conference was Attivo ThreatDefend. The system is designed to protect nontraditional items such as IoT streaming camera servers. It will be interesting to see how much traffic it adds to the network load it is trying to defend.

As you can see, this is a great time to be in the networking industry. We are the “backbone” of the modern world. We build, defend, upgrade, and improve the networks that allow others to do their jobs, play their games and of course watch their favorite YouTube cat videos on demand. The Information Technology field is one of the most rewarding and most challenging jobs you can have. In my experience, 99% of the people you know will not understand what you do, but that is okay because we can smile knowing that we, the Certified IT Professionals are what keeps the modern world working 24 hours a day, 7 days a week.

The role of the network will keep growing and so will the challenges. Be sure you are able to keep up with the changes by staying on top of the developing trends, keeping up your certifications, and expanding your education in the Information Technology field through additional training and certifications.

About The Author

With more than 15 years of industry experience, Melissa's background includes multiple CompTIA certifications, a MCTS, a Bachelor of Applied Science and a Master of Information Systems. Melissa's most loved challenge is bringing the "aha" moment to every learner.

This course will cover an introduction through advanced understanding of Cisco Firepower and Cisco Firepower Threat Defense. All Firepower policies are covered in detail, as well as how to configure and implement Firepower Threat Defense devices.

IT Automation has been a hot topic for the last few years. As network engineers, we are no stranger to the disruption known as network automation that has rocked the industry and turned its head upside down.

One of the leading automation frameworks, and one that is quickly becoming the de facto tool for network automation, is Ansible. A quick Google search would reveal the reasons behind its popularity; you can also check out the introduction video of my INE course on Ansible for some of my personal beliefs on why Ansible can work for you. (Spoiler alert: it is simple, powerful, and agentless.)

One confusing point for people who are new to Ansible might be the name itself. Ansible is both the name of the open source community project sponsored by Red Hat and the name of the company supporting the framework. (Quick trivia: the tool was named after the fictional faster-than-light communication technology that appeared in the 1977 book Ender's Game.) Every year, the Ansible company hosts an event, known as AnsibleFest, to talk shop, have fun, and celebrate the awesome people in the community.

This year, AnsibleFest was held in Austin, Texas, in the first week of October. My friend Rich Groves and I were invited to speak at the first network automation breakout session based on our work in the Distributed Denial-of-Service (DDoS) space using Ansible. If you are interested in our session, you can check out our GitHub repository and the videos archive.

5 Lessons Learned

The event was awesome, fun, and exciting. It was a perfect combination of learning new material while still having a good time doing so. In this post, let me share with you the five things I learned from my experience at AnsibleFest 2018.

1. Network Automation is Killing it

I remember it was only about 2.5 years ago that Ansible announced they were extending Ansible to include network automation support. At the time, Ansible did not even include support for Cisco IOS, which severely limited its application for many of the production networks. The AnsibleFest that year had only three tracks: Use Cases, Tech Deep Dives, and Best Practices with some network automation talks sprinkled in.

Fast forward to AnsibleFest 2018, the tracks have greatly expanded to Ansible Integration, Business Solutions, Community & Culture, and of course, Network Automation. There were also focused tutorials and community events with specific focus, such as documentation. The event was the most attended AnsibleFest to date with over 1,200 attendees.

Not only is the framework popular, in a little over two years, Network Automation is now at the front and center of the framework. As Jeff Geerling, author of the very popular book ‘Ansible for DevOps’, puts it:

"If I've learned anything in the past couple years, it's that Ansible is _killing_ it in the network automation space. #ansiblefest #ansible"

For users of the framework, there are tangible rewards by virtue of using a framework that is also used by many like-minded people. The bugs are discovered and fixed quickly, features are more likely to get added, and the things you want to do are likely to be shared by other engineers. Also, your investment of time and effort in using and adopting the framework will likely yield a longer return. In technology and in life, it is good to be the popular kid on the block.

2. Network Automation gets support

One of the main concerns of network automation in the enterprise world has always been the support (or lack thereof) from a trusted vendor. After all, nobody gets fired for buying IBM. For big players like Google, Facebook, and Microsoft, they can afford to have a team of engineers handling the development, maintenance, and support of the automation tool of choice. In fact, they often develop in-house tools that are tailored for them because they have such capabilities.

Enterprises, on the other hand, have to deal with a diverse set of technologies with limited usage of each. On a daily basis, an enterprise network engineer might need to deal with email and web servers, networking, Active Directory, databases, and other technologies. To this end, Red Hat has announced an Ansible Certified Content program. It is basically a program where Ansible modules can be submitted to be tested, validated, and checked for compatibility in production. It is a new program, so the details are still being worked out. To be sure, all Ansible modules have gone through basic automated testing, but this takes it a bit further.

At launch, the partners include Cisco (ACI, NSO, NX-OS, and UCS), CyberArk, F5 Networks, Infoblox, NetApp, and Nokia. (Did I mention networking is at the front and center of Ansible?)

3. New Security Automation focus

One of the surprise announcements this year in the keynote session is the addition of security automation. To me, it makes sense since Ansible is one framework able to automate everything from servers to networks and everything in-between. A good security coverage is a continuous process that requires locking down all aspects of IT.

The immediate use case for security automation is compliance testing. As anybody who has gone through PCI-DSS, HIPAA, or STIG compliance can tell you, it takes a special person to wake up in the morning and be excited to go through the process. For the rest of us, why not just offload it to Ansible? Perhaps one day we will be able to run a playbook and check off that compliance box without missing a beat in our afternoon inter-department ping-pong tournament.

4. Ansible Network Engine is here

The big push in the network automation track this year, in my opinion, is Ansible Network Engine. Many of us have used Ansible roles before; for some vendors, such as Juniper, the Juniper.junos Ansible role is their preferred way of automating Juniper devices with Ansible. Basically, Ansible roles are reusable units of code within Ansible that are distributed together. Ansible Network Engine is a set of consumable functions distributed as Ansible roles. It provides another abstraction layer, so the operator or application interacting with it does not need to know the specific network module or plugin underneath. On the vendor side, it allows faster iteration when adding new functions, without waiting for the normal Ansible release cycle.

There are a number of sessions that touch on the operation and inner workings of network engine, including Peter Sprygada’s Wednesday morning session on ‘From Developer to Operator’ and Trishna Guha’s session on ‘Introducing Ansible Network Engine role for Network Automation’. I would encourage you to watch the session recordings when they are available. I know I will be re-watching the sessions to make sure I did not miss anything important.

5. You still need to be a network engineer

As Justin Nemmers, General Manager for Red Hat Ansible, said in his keynote, “Ansible is not about cutting a 10-person team down to 8, it is about making the same 10-person team do the work equivalent of 100-person team. It is about taking the existing domain knowledge and automating the boring tasks so you can focus on the more interesting and challenging work that is harder to automate.”

By the same token, a network automation framework can automate a mistake much faster than non-automation human work. Imagine the last time you jammed your big toe into a desk corner, now imagine doing that ten times faster with a much bigger force. I know, I have been there. You can’t automate something you are not already comfortable with. Ansible is not a silver bullet that can solve all of your problems, you still need to know your network, know your customers, and work with people. It is not here to replace you, but it can upgrade that Cisco device much faster with no mistakes, helping you get home in time to make your kid's soccer practice.

Looking Ahead

Hopefully I have piqued your interest in Ansible with this post. So what can you do to get started?

1. Start small, start today

There are hundreds of modules in the Ansible framework, so chances are there are modules that you can leverage today. Pick something that is low risk and get started immediately. It is a simple tool by design; check out this recent tweet by Michael DeHaan, creator of Ansible:

"Ok that is better, yet: Anyone using ansible for a few months is as good as anyone using ansible for three years. It's a simple tool on purpose. Also a couple of years of ops experience and ten are not that different - we all have to help fight job requirements inflation."

2. Join the community

The Ansible community is big. There are so many educational events, local meetups, workshops, online meetings, and other opportunities to socialize with other users. Go talk to other people about Ansible and learn about the essentials at a meet-up near you.

3. Keep your skills sharp

We have gone over this, but it is worth repeating. You can’t automate what you don’t know. Keep up with your day job and use Ansible as a tool to help you take it to the next level.

Happy network automation!

About the Author:

Eric Chou is a seasoned technologist with over 17 years of experience. He has worked on, and helped manage, some of the largest networks in the industry while working at Amazon Web Services, Microsoft Azure, and other companies. Eric is passionate about network automation, Python, and helping companies build better security postures. Eric is the author of 'Mastering Python Networking' (Packt Publishing, 1st and 2nd edition), and the author of INE video classes on Ansible, Python, and SDN.